Use a deterministic seed for kernel RANDSTRUCT, and re-enable in hardened kernels #53802

Merged: 2 commits, Jan 11, 2019
kernel: make the RANDSTRUCT seed deterministic

delroth committed Jan 11, 2019
commit 1b9bf8fa7559d1bbf030f3fe3513d25eada65a41
@@ -88,7 +88,10 @@ let

inherit src;

patches = map (p: p.patch) kernelPatches;
patches =
map (p: p.patch) kernelPatches
# Required for deterministic builds along with some postPatch magic.
++ optional (stdenv.lib.versionAtLeast version "4.13") ./randstruct-provide-seed.patch;

prePatch = ''
for mf in $(find -name Makefile -o -name Makefile.include -o -name install.sh); do
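Review bot: the comment "Required for deterministic builds along with some postPatch magic" should name the other half of the change, namely the `substituteInPlace` of `NIXOS_RANDSTRUCT_SEED` in `postPatch`, since `./randstruct-provide-seed.patch` on its own only plants a placeholder and a reader of this file has to go looking for what fills it in. It would also help to state why the guard is `versionAtLeast version "4.13"`: that is the release that introduced the gcc-plugins RANDSTRUCT plugin and `scripts/gcc-plugins/gen-random-seed.sh`, so on older trees the patch has nothing to apply to and would fail the build.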
@@ -99,6 +102,19 @@ let
sed -i scripts/ld-version.sh -e "s|/usr/bin/awk|${buildPackages.gawk}/bin/awk|"
'';

postPatch = ''
# Set randstruct seed to a deterministic but diversified value. Note:
# we could have instead patched gen-random-seed.sh to take input from
# the buildFlags, but that would require also patching the kernel's
# toplevel Makefile to add a variable export. This would be likely to
# cause future patch conflicts.
if [ -f scripts/gcc-plugins/gen-random-seed.sh ]; then
substituteInPlace scripts/gcc-plugins/gen-random-seed.sh \
--replace NIXOS_RANDSTRUCT_SEED \
$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')
fi
'';

configurePhase = ''
runHook preConfigure
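Review bot: the seed produced by `$(echo ${src} ${configfile} | sha256sum | cut -d ' ' -f 1 | tr -d '\n')` is a pure function of two Nix store paths, which anyone with the same nixpkgs revision (or the binary-cache output) can recompute, so an attacker targeting a cache-built kernel knows its struct layout; RANDSTRUCT here gives per-configuration diversification, not a secret layout. The comment's "deterministic but diversified" undersells that trade-off and should say it plainly, and note that an operator who wants an unpredictable layout needs a locally built kernel with a private seed. Two smaller points: the command substitution after `--replace NIXOS_RANDSTRUCT_SEED` is unquoted, which only works because a hex digest has no whitespace, so wrap it in `"$(...)"`; and the `if [ -f scripts/gcc-plugins/gen-random-seed.sh ]` guard skips the substitution silently when the file is absent, while a failed or non-matching substitution leaves the placeholder in the tree, so follow the `substituteInPlace` with a check such as `grep -q NIXOS_RANDSTRUCT_SEED scripts/gcc-plugins/gen-random-seed.sh && exit 1` so no kernel is ever built with the unsubstituted placeholder.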
@@ -0,0 +1,12 @@
diff -ru a/scripts/gcc-plugins/gen-random-seed.sh b/scripts/gcc-plugins/gen-random-seed.sh
--- a/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 11:50:29.228258920 +0100
+++ b/scripts/gcc-plugins/gen-random-seed.sh 2019-01-11 12:18:33.555902720 +0100
@@ -2,7 +2,7 @@
# SPDX-License-Identifier: GPL-2.0

if [ ! -f "$1" ]; then
- SEED=`od -A n -t x8 -N 32 /dev/urandom | tr -d ' \n'`
+ SEED="NIXOS_RANDSTRUCT_SEED"
echo "const char *randstruct_seed = \"$SEED\";" > "$1"
HASH=`echo -n "$SEED" | sha256sum | cut -d" " -f1 | tr -d ' \n'`
echo "#define RANDSTRUCT_HASHED_SEED \"$HASH\"" > "$2"
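Review bot: replacing the `/dev/urandom` read with the literal `SEED="NIXOS_RANDSTRUCT_SEED"` means that if the Nix-side substitution never runs or never matches, the kernel still builds, with `randstruct_seed` set to the placeholder string and `RANDSTRUCT_HASHED_SEED` set to its hash, so every such kernel shares one layout and nothing reports the mistake. Make that failure loud inside the script, for example `case "$SEED" in NIXOS_*) echo "randstruct seed not substituted" >&2; exit 1;; esac` before the `echo "const char *randstruct_seed = ..."` line, and add a short comment at the top of the patch saying the literal is a build-time placeholder so whoever rebases it onto a newer `gen-random-seed.sh` keeps the substitution in sync.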